conformance: add TLSRoute rejection conformance tests

[Thealisyed]

What type of PR is this?

/kind test
/area conformance-test

What this PR does / why we need it:
Add two new TLSRoute conformance tests that validate proper rejection
behavior and user feedback when a TLSRoute cannot attach to a Gateway:

1. TLSRouteInvalidNoMatchingListener: Verifies that a TLSRoute
referencing a port that doesn't exist on the Gateway receives
Accepted=False with Reason=NoMatchingParent.

2. TLSRouteInvalidNoMatchingListenerHostname: Verifies that a TLSRoute
with a hostname that doesn't match the Gateway listener hostname
receives Accepted=False with Reason=NoMatchingListenerHostname.

Both tests validate:
 - Route has correct rejection condition with appropriate reason
 - Route has no accepted parents in status
 - Gateway shows 0 attached routes

Also adds TLSRouteMustHaveNoAcceptedParents helper function to support
validation of TLSRoute rejection scenarios.

Does this PR introduce a user-facing change?:

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: Thealisyed / name: Ali Syed (ae912b6)

[k8s-ci-robot]

Hi @Thealisyed. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rikatz]

/ok-to-test
/release-note-none

overall lgtm, I have tested locally with Istio and works as expected

/cc @rostislavbobo @snorwin @kl52752

[rikatz]

(as we work for the same company, I will leave the lgtm for someone else and then we can proceed with approval)

[rostislavbobo]

Thank you @Thealisyed for the conformance tests for rejection! This helps us to move TLSRoutes forward. Overall, looks good, just a couple of minot comments

[rostislavbobo]

don't we need to add kubernetes.NamespacesMustBeReady() here because we're we're creating an additional Gateway in this test and we need to wait for it to be ready

[rikatz]

make this HTTP, otherwise it will fail early. Usually controllers will drop this kind of configuration on listener already as you are enforcing a kind HTTPRoute, but a type listener.

Let's take a look into Istio example: https://github.com/istio/istio/blob/eab5fb0686458842f328ff53f0d985ec1fa6df5e/pilot/pkg/config/kube/gateway/conditions.go#L377

It already gets the listener type protocol to define what kind of routes can be added on kinds. If you enforce TLS and HTTPRoute, it may fail early

[rikatz]

actually this validation is broken.

You are passing 2 parentRefs here: https://github.com/kubernetes-sigs/gateway-api/pull/4433/files#diff-7d16187df452dee9c420da3b314b29038f0335dca12e33e125057fb69fa9a824R48-R52

So this will never work :) Because your controller is reporting 2 parentRefs.

[rikatz]

changes lgtm, I will defer for @rostislavbobo and @robscott for approval.

I think there are some conflicting scenarios on TLSRouteInvalidNoMatchingListener that we may need to take care, but given that the author of the PR will be out for the next week and we are willing to have all the TLSRoute conformance merged, probably me or @rostislavbobo can fix some things as followups

[rostislavbobo]

Thanks @Thealisyed for covering more cases and addressing comments! LGTM pending minor comments from my side

[rostislavbobo]

If I understand correctly, this Gateway is used by "tlsroute-not-allowed-kind" to verify that the TLSRoute is not attached when allowedRoutes.kinds doesn't list it.

In that case, wouldn't it be better to configure the listener with protocol: TLS instead of HTTP? So that we have a valid attachment that is only prevented by the allowedRoutes.kinds.

[rostislavbobo]

Again, I'd use a valid Gateway here for attachment to check that the wrong sectionName is the only preventing the attachment

[rostislavbobo]

Mind using v1alpha3 here and everywhere below?

[rostislavbobo]

there are some conflicting scenarios on TLSRouteInvalidNoMatchingListener that we may need to take care
probably me or @rostislavbobo can fix some things as followups

SG @rikatz , let's sync on that tmr

[rostislavbobo]

/lgtm

and taking my comments on me as the author of the PR is out

[rikatz]

@rostislavbobo I can fix them as a followup if you are out of time :D just let me know!

[rikatz]

/approve
/hold
Wait for some time and then we merge

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rikatz, rostislavbobo, Thealisyed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• conformance/OWNERS [rikatz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rikatz]

/hold cancel
Given @rostislavbobo reviewed as a 2nd person (out of Red Hat) and we are ok with this approach, merging.

Rosti will followup on his own comments that are non-blocking for TLSRoute